NTT Smart Trade

Powerful support for PCI DSS v3.0 conformity through multi-OS compatibility and central management

Overview

Amid the rapid expansion of cybercrimes, NTT Smart Trade launched a sweeping reform of its financial services platform. The company also wanted to fortify the security of its new services platform as follows:

Challenges

NTT Smart Trade Inc. is a fully owned subsidiary of NTT Communications. Since 2010, the company has made contributions to the development of the Internet as a business platform, through its involvement in electronic money settlement, credit card settlement, remittance, and other financial services. The company's Information Systems Department is engaged in a reform of its services platform—the IT infrastructure supporting all the company’s services.

At the same time, the Information Systems Department is wrestling with an additional issue: conformity with the PCI DSS v3.0 international standard for credit card data security. Although NTT Smart Trade achieved PCI DSS v2.0 certification in December 2014, PCI DSS mandates an update every year. Therefore, the new services platform will have to conform to the new v3.0 requirements.

Enhancing the security of the services platform was already a key issue for NTT Smart Trade, points out Ken Horichi, general manager of the Information Systems Department. "We provide services that strictly manage customer information and credit card information. Earning customers' trust is vital. With cyber risks continually on the rise, further strengthening the security of our services platform is an inevitable undertaking."

The solution that Mr. Horichi selected to strengthen the security of the company's new services platform is Trend Micro™ Deep Security™.

Solution

One of the reasons Mr. Horichi selected Deep Security is its effectiveness as a solution for supporting PCI DSS conformity. "Deep Security's varied and flexible features and design were also compelling," he adds.

The servers that make up NTT Smart Trade's new services platform are all deployed in virtual environments, with dozens of servers aggregated into 4 physical units. Windows Server, Linux, and Solaris operating systems are running in the virtual environments. NTT Smart Trade's plan is to install Deep Security Agent on all of these server operating systems, for integrity monitoring (i.e., tampering detection), log inspection, anti-virus, and other tasks. "The advantages of Deep Security are in its multi-functionality and its compatibility with a multi-platform setup. What we especially appreciated is its support for integrity monitoring on Solaris. We really found Deep Security to be a product that fills a need for us," says Mr. Horichi. He further adds, "We found no other tool could provide such fine-toothed security features in a mixed server environment. The support for PCI DSS conformity is another benefit, and the price is reasonable for its multi-functionality. Deep Security was the best choice for our company, both for fortifying defenses for our new services platform and for meeting the requirements of PCI DSS v3.0."

Results

The operational launch of the new services platform is scheduled for September 2015, and the company is still at the inspection stage in implementing Deep Security. However, the company has already discovered many benefits made possible by the product. Says Yasuyuki Oka, manager of the Information Systems Department, "The security measures we implement under Deep Security will be very easy to explain during PCI DSS audits, compared with the measures taken under the monitoring system we had developed ourselves. We feel the measures will have considerable real-world effect, too. I think Deep Security will prove an extremely dependable tool in our acquisition of PCI DSS v3.0 certification."

According to Mr. Horichi, Deep Security is very effective in reducing the burden of operations management for security measures. "As an example, PCI DSS mandates daily monitoring of logs. If we had to individually monitor and manage the logs of different systems, that alone would place a huge burden on the administrators. Instead, with Deep Security, we can perform centralized monitoring and management of all of the systems' logs from a single administration console. In other words, we can minimize the operations management burden required to meet the PCI DSS requirements."

Operations management of NTT Smart Trade's new services platform is planned to take place within an NTT data center, which itself is securely protected by WAF/IPS/IDS and other tools. Moreover, as NTT Smart Trade's services platform will be connected by a closed network with banking and credit card companies, there is no concern over Internet-based threats.

NTT Smart Trade has chosen Deep Security to protect its services platform in combination with the data center's defenses, because of the threat posed by the diversification and expansion of cyber risks. Mr. Horichi notes, "Along with the rise of cyber risks, PCI DSS requirements are increasingly strict. Without centralized security operations management, the required increase in manual oversight would only increase the possibility of security oversights. For this reason and others, we rate Deep Security highly, and have great expectations for its further development."

“We've found that Deep Security lets us achieve the sort of security measures and operations that we had been seeking. We can even count on it in complying with PCI DSS.”